Using MFA via OTP with USAA

USAA now allows you to log in using OTP instead of your traditional PIN. This is a great step forward in keeping your account secure. However, there are a few drawbacks in the way it was implemented.

First, they have decided to give it a proprietary name and labelled it CyberCode. This is just confusing and in my opinion irresponsible. It only adds to the sea of terms out there that already make it hard for the layman to understand. In my opinion, they should focus on educating users about established standards and their existing names instead of creating new ones.

They allow two options for OTP: the old skool code-via-SMS method, where they send you an SMS every time you want to log in, and some Symantec authentication app. This is fine unless you already have an authenticator app you’d like to use, such as 1Password, Authy, etc.

I myself have recently switched to using 1Password to generate my OTPs. Once I found out that USAA would let me use them, I set out to find a way to make it work without having to install another authenticator, as USAA wants you to do for no apparent reason. The main issue is that instead of generating a QR code that your authenticator can scan, USAA requires you to enter a Credential ID provided by the Symantec app. A quick Google search led me to a helpful post on 1Password’s community site. It pointed me to a GitHub repo that ultimately allows me to generate a QR code based off a Symantec ID that can then be used by most other authenticators.

So, here’s the stuff you really care about. This simple gist walks you through creating a QR code that you can use for your preferred authenticator.
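
To show what such a QR code carries, here is an added example (not from the original post, the gist, or the GitHub repo): it builds the `otpauth://` provisioning URI a QR code encodes and derives codes from it the way any authenticator would. It assumes the credential behaves as standard RFC 6238 TOTP (SHA-1, 6 digits, 30-second step); the function names, the credential ID placeholder and the sample secret (the RFC 6238 test key) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values: the RFC 6238 test key and a placeholder ID.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_CREDENTIAL_ID = "EXAMPLE-CREDENTIAL-ID"

def otpauth_uri(secret_b32, account, issuer, digits=6, period=30):
    """Build the Key URI string that a provisioning QR code encodes."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"

def totp(secret_b32, at, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // period)   # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_uri(uri, at):
    """What an authenticator does after a scan: parse the URI, derive a code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parts.query)
    if params.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("this example only handles SHA1")
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return totp(params["secret"][0], at, digits, period)

if __name__ == "__main__":
    uri = otpauth_uri(SAMPLE_SECRET, SAMPLE_CREDENTIAL_ID, "Symantec")
    print(uri)                     # the text a QR generator would encode
    print(code_from_uri(uri, 59))  # code for the time step containing t=59
```

The URI, and therefore the QR image, contains the shared secret itself, so a saved screenshot or terminal scrollback of it is as sensitive as the authenticator entry.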